One of the first things security professionals recommend when you install new programs, systems or hardware is that you change the default password immediately. And, if a system has been breached or is vulnerable to a potential breach, most security professionals recommend that your users change their passwords as a precaution.
Now, what if the password was hard-coded into the system and could not be changed without throwing all systems into chaos and disrupting or halting operations?
And what if the default password for your software had been shared in online forums since 2008?
That would never happen, right…?
Unfortunately, this is exactly what has happened to Siemens and their SCADA software. SCADA (supervisory control and data acquisition) software is commonly used in utilities and has become a popular target for hackers of all types. For example, the Stuxnet malware targets Siemens SCADA software: it searches for specific software and then uses the hard-coded password to access the access control database. Once this database is accessed, the malware can steal information. Changing the passwords to block the malware's attempts may create even bigger issues, because the software depends on them.
So, what are the lessons learned here?
1) Default passwords are and always will be a major vulnerability.
2) Passwords should not be hardcoded into a system.
3) Passwords should not be shared in online forums, and if one is, it should be changed immediately!
4) Changing passwords should not cause systems to stop working.
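As an added illustration of lessons 2 and 4 (example code, not from the original post or from Siemens): the hard-coded credential pattern beside a credential source that can be rotated without halting operations. The secret document format, the `authenticate` callback and all values are constructed assumptions.

```python
import json
import re
from dataclasses import dataclass

# Anti-pattern from the post: a credential compiled into the program. Anyone who
# reads the binary (or a forum post) has it for good, and it cannot be changed
# without rebuilding the software. Constructed placeholder value.
HARDCODED_PASSWORD = "<hard-coded-placeholder>"

# Audit helper: flag source lines that assign a quoted literal to a
# password-like name. Loading from a secret store or environment does not match.
_SECRET_ASSIGN = re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*[\"'][^\"']+[\"']")

def has_hardcoded_secret(line: str) -> bool:
    return bool(_SECRET_ASSIGN.search(line))

@dataclass(frozen=True)
class Credential:
    user: str
    password: str

# Constructed sample of the document an operator's secret store hands the service.
SAMPLE_SECRET_DOC = ('{"current": {"user": "scada", "password": "new-2"},'
                     ' "previous": {"user": "scada", "password": "old-1"}}')

def load_credentials(secret_json: str) -> list[Credential]:
    """Parse the credential document (constructed format). 'previous' is kept
    during a rotation overlap window so the cutover does not stop the system."""
    doc = json.loads(secret_json)
    creds = [Credential(**doc["current"])]
    if doc.get("previous"):
        creds.append(Credential(**doc["previous"]))
    return creds

def connect_with_rotation(creds, authenticate) -> str:
    """Try the current credential, then the previous one. `authenticate` is the
    database login call (stubbed here). Returns which credential worked, so the
    operator can log an incomplete rotation, or raises if neither is accepted."""
    for label, cred in zip(("current", "previous"), creds):
        if authenticate(cred):
            return label
    raise PermissionError("no valid credential: re-run the rotation procedure")

if __name__ == "__main__":
    creds = load_credentials(SAMPLE_SECRET_DOC)
    # Simulate a database that has not yet been switched to the new password.
    print(connect_with_rotation(creds, lambda c: c.password == "old-1"))
    print(has_hardcoded_secret('HARDCODED_PASSWORD = "<hard-coded-placeholder>"'))
```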
If you work in a utility or an organization that uses SCADA software… be aware and be prepared.